Practical Guidelines

By Paul Coleman

For the first time in the healthcare industry in the United States, business continuity planning and disaster recovery capability will become mandatory for all healthcare organizations. The Health Insurance Portability and Accountability Act (HIPAA), passed by the US Congress in 1996, has as part of its phased implementation “Security Guidelines,” (referring to information security), which mandate that all healthcare organizations using healthcare data comply with data security and business continuity standards within two years. The final regulations were published in the Federal Register at the end of 2000. The “Security Guidelines”, with business continuity requirements, are expected in early 2001. The penalties and fines for noncompliance will be substantial. Any organization not showing due diligence in starting this process will be in noncompliance. This legislative mandate has a strategic goal of reducing costs in healthcare by standardizing data processing, as a prelude to establishing a centralized clearinghouse for claims processing, similar to the financial industry. The financial industry is highly regulated and audited for business recovery capability by both the federal and state governments.

Currently, healthcare providers in the US are visited approximately every three years (pressure is being exerted to make this more often and even surprise) by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), which grades the entire environment of care. It is voluntary for a healthcare organization to submit to a JCAHO inspection (a high grade confers prestige), but the JCAHO does not have enforcement power and also does not consider business recovery during the inspection. It is not clear at this time which agency will be the enforcement arm of the federal government for HIPAA.

Medical centers in the US, especially in California, have well documented and well practiced emergency response plans. Healthcare providers in California have experience in “battlefield medicine,” due to a high level of societal violence and the regular occurrence of natural disasters such as earthquakes. Business recovery is different in that it considers what happens when the emergency response triage period of 24 or 48 hours is over. The business continuity plans that start implementation at the time of the disaster come to fruition while the triage period is happening, enabling the recovery of critical business functions and supporting information technology within the specified Recovery Time Objective (RTO). In healthcare, business recovery planning by definition has an automated systems focus and works with the information technology dependent business functions in the planning process. Medical care can be provided without computers or technology of any kind in triage mode, but in a matter of days when the emergency response phase is winding down, dependency on information technology increases because the goal is to return to as close to normal operations as possible. Imagine the difficulty in scheduling appointments over a diverse and geographically dispersed healthcare system without information technology.

Business Continuity According to HIPAA

The Health Care Financing Agency, part of the US Department of Health and Human Services, convened a task force to write the “Security Guidelines,” which contains a section on Business Continuity Planning and Disaster Recovery. This task force, composed of experts in information security and business recovery from healthcare and other industries, utilized standard business continuity methodology in writing “to-the-point” guidelines.

The primary “bullet” points are shown below. The detailed sub-points are available at www.disaster-resource.com.

Contingency Planning General Elements

Mapping of critical business functions to specific computer applications.

Mapping the computer applications to the platform technologies.

Impact of the business cycles (quarter end, year end) to contingency plans.

Regular update and review of contingency plans.

Clear statement of risk assumption.

Definition of minimum acceptable level of service and detailed actions to get to that level.

Specific procedures for activation and deactivation, including triggers.

Responsibilities/accountabilities during contingency operations.

Voice communications recovery planning must be done related to the overall contingency plan as well as the specific critical business units.

Business Continuity Plan Controls

Plan distribution.

Plan maintenance.

Plan testing.

Responsibilities.

Authorities.

Critical Computer Applications

Strategy for prioritization.

Change in prioritization based on shift in business cycle.

Management review/signoff.

Application dependencies/interdependencies.

Application downtime procedures, including time thresholds for invoking.

Data backup procedures.

Offsite storage capabilities.

Restoration teams and documentation.

Analysis of Recovery Time Objectives.

Analysis of Recovery Point Objectives.

Hardware backup strategies.

Software backup strategies.

Network backup strategies.

Testing procedures.

Maintenance procedures.

Business Impact Analysis and risk assessment.

Asset management inventory.

Hospital Emergency Incident Command System (HEICS)

History of HEICS

In the 1980s, an inter-agency cooperative effort was formed to develop a common organizational system which fire protection agencies could use in response to a very large incident, as well as smaller, day to day operations. The cooperative plan, known as Firescope, produced a management system that has become standard operating procedure across the United States – Incident Command System (ICS).

In 1987, the Hospital Council of Northern California completed work on an adaptation of ICS to hospital emergency response functions. This work served as the cornerstone of the original version of HEICS (1991) developed by Orange County Emergency Medical Services.

HEICS Attributes

Responsibility oriented chain of command, which provides a manageable scope of supervision.

Wide acceptance through commonality of mission and language in both the public and private sectors.

Prioritization of duties with the use of Job Action Sheets, position job descriptions which have a prioritized list of emergency response tasks that promote documentation of the incident.

Applicability to varying types and magnitudes of emergency events, a flexible program which can be expanded or scaled back to meet the particular needs of a specific crisis.

Thorough documentation of actions taken in response to the emergency, which may improve recovery of financial expenditures.

HEICS Structure

The HEICS structure is a chain of command which incorporates four sections under the overall leadership of the Emergency Incident Commander (IC). Each of the four sections – Operations, Logistics, Planning and Finance – has a Section Chief. The hospital or organization’s disaster/emergency plan must be modified to incorporate the newly developed business recovery team structure.

There should be an Emergency Operations Center (EOC) and emergency management system in place that incorporates business recovery teams and the infrastructure necessary to support recovery. HEICS must therefore be modified to incorporate business recovery concerns. Existing HEICS job action sheets (checklists) should be expanded. Disaster drills and exercises should include business recovery elements.